7.5

CVE-2026-39829

Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangCrypto SwPlatformgo Version < 0.52.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.42% 0.335
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://go.dev/issue/79565
Issue Tracking
https://go.dev/cl/781641
Issue Tracking
https://go.dev/cl/781661
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2480681
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39829.json
https://access.redhat.com/errata/RHSA-2026:29455
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
Mailing List
https://access.redhat.com/errata/RHSA-2026:26546
https://access.redhat.com/errata/RHSA-2026:26547
https://access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:35833
https://pkg.go.dev/vuln/GO-2026-5018
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36199
https://access.redhat.com/security/cve/CVE-2026-39829
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:37268
https://access.redhat.com/errata/RHSA-2026:36883
https://access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37123